Security Programs
Infosec
Link | Notes |
---|---|
Information Security Services functions | Each section within the Information Security Services function is comprised of numerous departments, each with its own functions to support the larger department |
Early Security for Startups | What should a startup without a security team do for security? |
Product / DevOps
Link | Notes |
---|---|
Netflix The Paved Road at Netflix | |
Netflix Netflix Culture Meets Product Security | |
Netflix Scaling Appsec at Netflix | |
Cruise Building a Container Platform at Cruise | Environments & Tenants, Infrastructure Boundaries, Platform Boundaries |
Cruise Container Platform Security at Cruise | Identity, Authentication, Authorization, Secrets, Encryption |
Cruise Container Platform Networking at Cruise | GCP Hybrid Connectivity Options |
Security maturity levels of Product Security Teams | Grouping dev teams into 4 security maturity levels |
Cloudflare Startup Security: Starting a Security Program at a Startup | |
Compliance in a DevOps Culture | Integrating the necessary Security Controls and Audit capabilities to satisfy Compliance requirements within a DevOps culture can capitalize on CI/CD pipeline automation, but presents unique challenges as an organization scales |
AppSec Specific
Link | Notes |
---|---|
An opinionated guide to scaling your company's security | Clint's talk summarising approaches from multiple companies |
Uber The Path to Code Provenance | Strategy for ensuring we have a verifiable attestation of the origin of all code running in production |
The Art of Vulnerability Management | How to create a positive vulnerability management culture and process that works for engineers and the security team |
Beyond The Security Team | |
Implement Security Champions Programme | Main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes |
How we run our bug bounty program at Segment | |
A Guide to Threat Modelling for Developers | Clear and simple steps to help teams that want to adopt threat modelling |
Awesome Threat Modeling | |
Appsec Development: Keeping it all together at scale | |
Creating Security Decision Trees With Graphviz | |
Teams
Link | Notes |
---|---|
The Actual Cybersecurity Workforce Challenge | There is a cybersecurity skills crisis, but the answer is not to simply focus on creating more trained cybersecurity professionals |
Risk / Compliance
Link | Notes |
---|---|
The SOC2 Starting Seven | 7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy |
Cybersecurity and the Board: A Fresh Perspective? | How to represent cybersecurity (or technology / information risks more generally) to the Board |
Prioritizing Cloud Risk Requires Context to be Effective | Prioritizing risk mitigation based on CIS output alone misses something critical: organizational context |
Open-Sourcing riskquant, a library for quantifying risk | |
Experimenting with visualizations and code risk overview | |